Hello everyone,
I’ve been having a lot of trouble with configuring a restricted certificate in such a way that it has full access to a single storage pool.
I’ve been documenting these steps as I go, and then uploading them to my blog:
https://moonpiedumplings.github.io/projects/build-server-6/#authorization
This has everything I’ve tried and why it ended up not working.
I’m currently at this:
def authorize(details, object, entitlement):
    # Unrestricted certificate: allowed to do anything.
    if details.Username == "96bd207fe6a1b5ca48284f012e036fff43126870c52949479fe5647c61791db2":
        return True
    # Restricted certificate: should only get the "layer8" storage pool and project.
    if details.Username == "025a3516ca2c622a93446548954e33d75eafa3e8173d0d6a435fc27d4072932e":
        if object.startswith("storage_pool:"):
            if object != "storage_pool:layer8":
                return False
            return True
        if details.IsAllProjectsRequest == True:
            return False
        if object == "project:layer8":
            if entitlement == "can_view":
                return True
        if details.ProjectName == "layer8":
            return True
        if details.ProjectName == "default":
            if entitlement == "can_view_resources":
                return True
        if object == "server:incus":
            if entitlement == "can_view":
                return True
            if entitlement == "can_view_resources":
                return True
        # Deny anything not explicitly allowed above (so every path returns a bool).
        return False
    else:
        return False
But this doesn’t restrict the certificate I want to be restricted, the latter one, from uploading ISOs to the default storage pool.
Also1: Is this some kind of XY problem? Do I even need to separate storage pools, if isolating volumes prevents users with access to the same storage pool from messing with each other?
(Although in the future I may want separate storage pools)
Also1: Is this an XY problem of some kind? Is there anything nefarious that can be deployed to
Also2: once I’m done and have figured this out, I would like to turn my notes into documentation for the authorization scriptlet, since it seems to be a useful feature, but the documentation is lacking.
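As an added example (not code from the post above, and not from Incus itself), here is the same kind of policy written deny-by-default and table-driven, so that every request path returns a bool and a new identity or pool is one line in a table rather than another nested if. The authorize() function uses only the Starlark subset that is also valid Python, which means the policy can be unit-tested locally before it is loaded into the server; the Details class and check() helper at the bottom are Python-only test aids and are not part of the scriptlet. Only the details fields the post uses (Username, ProjectName, IsAllProjectsRequest) and the object and entitlement strings it shows are taken from the post; the fingerprints are placeholders, the entitlement "can_edit" and the "instance:..." object format are assumed names for illustration.

```python
# Added example, not code from the post or from Incus: a deny-by-default
# authorization scriptlet. authorize() is written in the Starlark subset that
# is also valid Python so the policy can be unit-tested locally. Only the
# details fields the post uses (Username, ProjectName, IsAllProjectsRequest)
# and the object/entitlement strings it shows are taken from the post.

ADMIN = "admin-cert-fingerprint"            # placeholder, not a real fingerprint
RESTRICTED = "restricted-cert-fingerprint"  # placeholder, not a real fingerprint

# Allow rules per identity: (object type, object name or "*", entitlement or "*").
# A request that matches no rule is denied.
OBJECT_RULES = {
    RESTRICTED: [
        ("storage_pool", "layer8", "*"),             # full control of one pool
        ("project", "layer8", "*"),
        ("project", "default", "can_view_resources"),
        ("server", "incus", "can_view"),
        ("server", "incus", "can_view_resources"),
    ],
}

# Projects in which the identity may act on any object other than a storage pool.
PROJECT_RULES = {
    RESTRICTED: ["layer8"],
}

def _split_object(object):
    # Object strings look like "storage_pool:layer8" or "server:incus".
    parts = object.split(":", 1)
    if len(parts) != 2:
        return ("", "")
    return (parts[0], parts[1])

def _matches(rule, kind, name, entitlement):
    rule_kind, rule_name, rule_entitlement = rule
    if rule_kind != kind:
        return False
    if rule_name != "*" and rule_name != name:
        return False
    if rule_entitlement != "*" and rule_entitlement != entitlement:
        return False
    return True

def authorize(details, object, entitlement):
    # Unrestricted administrator certificate.
    if details.Username == ADMIN:
        return True

    # Unknown identities get nothing. (Starlark has no "is", so compare with ==.)
    rules = OBJECT_RULES.get(details.Username)
    if rules == None:
        return False

    # An --all-projects request would expose other projects' resources.
    if details.IsAllProjectsRequest:
        return False

    kind, name = _split_object(object)
    for rule in rules:
        if _matches(rule, kind, name, entitlement):
            return True

    # Storage pools are server-wide: only an explicit pool rule grants them,
    # never membership of a project.
    if kind == "storage_pool":
        return False

    # Anything else scoped to an allowed project is permitted.
    if details.ProjectName in PROJECT_RULES.get(details.Username, []):
        return True

    # Every path ends in a bool; nothing falls through to None.
    return False


# ---- Python-only test aid (not part of the scriptlet Incus loads) ----

class Details:
    """Stand-in for the details object Incus passes to authorize()."""
    def __init__(self, Username, ProjectName="default", IsAllProjectsRequest=False):
        self.Username = Username
        self.ProjectName = ProjectName
        self.IsAllProjectsRequest = IsAllProjectsRequest

def check(username, object, entitlement, project="default", all_projects=False):
    """Evaluate the policy for one constructed request; returns the bool Incus would get."""
    return authorize(Details(username, project, all_projects), object, entitlement)
```

Because the policy is a table, the same harness can be used to enumerate which (object, entitlement) pairs the restricted identity can reach in each project and compare that against what the client is actually able to do; a request that succeeds on the server but is denied here points at an object or entitlement the table does not yet model.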